INTERNATIONAL STANDARD ISO 31000
First edition 2009-11-15

Risk management — Principles and guidelines
Management du risque — Principes et lignes directrices

Reference number ISO 31000:2009(E)
ICS 03.100.01
© ISO 2009 — All rights reserved

1 Scope

This International Standard provides principles and generic guidelines on risk management.

This International Standard can be used by any public, private or community enterprise, association, group or individual. Therefore, this International Standard is not specific to any industry or sector.

NOTE For convenience, all the different users of this International Standard are referred to by the general term "organization".

This International Standard can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets.

This International Standard can be applied to any type of risk, whatever its nature, whether having positive or negative consequences.

Although this International Standard provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed.

It is intended that this International Standard be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards.

This International Standard is not intended for the purpose of certification.
2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

2.1 risk
effect of uncertainty on objectives
NOTE 1 An effect is a deviation from the expected — positive and/or negative.
NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
NOTE 3 Risk is often characterized by reference to potential events (2.17) and consequences (2.18), or a combination of these.
NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.
NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood.
[ISO Guide 73:2009, definition 1.1]

2.2 risk management
coordinated activities to direct and control an organization with regard to risk (2.1)
[ISO Guide 73:2009, definition 2.1]

2.3 risk management framework
set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring (2.28), reviewing and continually improving risk management (2.2) throughout the organization
NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk (2.1).
NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational policies and practices.
[ISO Guide 73:2009, definition 2.1.1]

2.4 risk management policy
statement of the overall intentions and direction of an organization related to risk management (2.2)
[ISO Guide 73:2009, definition 2.1.2]

2.5 risk attitude
organization's approach to assess and eventually pursue, retain, take or turn away from risk (2.1)
[ISO Guide 73:2009, definition 3.7.1.1]

2.6 risk management plan
scheme within the risk management framework (2.3) specifying the approach, the management components and resources to be applied to the management of risk (2.1)
NOTE 1 Management components typically include procedures, practices, assignment of responsibilities, sequence and timing of activities.
NOTE 2 The risk management plan can be applied to a particular product, process and project, and part or whole of the organization.
[ISO Guide 73:2009, definition 2.1.3]

2.7 risk owner
person or entity with the accountability and authority to manage a risk (2.1)
[ISO Guide 73:2009, definition 3.5.1.5]

2.8 risk management process
systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring (2.28) and reviewing risk (2.1)
[ISO Guide 73:2009, definition 3.1]

2.9 establishing the context
defining the external and internal parameters to be taken into account when managing risk, and setting the scope and risk criteria (2.22) for the risk management policy (2.4)
[ISO Guide 73:2009, definition 3.3.1]

2.10 external context
external environment in which the organization seeks to achieve its objectives
NOTE External context can include:
— the cultural, social, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization; and
— relationships with, and perceptions and values of, external stakeholders (2.13).
[ISO Guide 73:2009, definition 3.3.1.1]

2.11 internal context
internal environment in which the organization seeks to achieve its objectives
NOTE Internal context can include:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— the capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— information systems, information flows and decision-making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders;
— the organization's culture;
— standards, guidelines and models adopted by the organization; and
— form and extent of contractual relationships.
[ISO Guide 73:2009, definition 3.3.1.2]

2.12 communication and consultation
continual and iterative processes that an organization conducts to provide, share or obtain information and to engage in dialogue with stakeholders (2.13) regarding the management of risk (2.1)
NOTE 1 The information can relate to the existence, nature, form, likelihood (2.19), significance, evaluation, acceptability and treatment of the management of risk.
NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
— a process which impacts on a decision through influence rather than power; and
— an input to decision making, not joint decision making.
[ISO Guide 73:2009, definition 3.2.1]

2.13 stakeholder
person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity
NOTE A decision maker can be a stakeholder.
[ISO Guide 73:2009, definition 3.2.1.1]

2.14 risk assessment
overall process of risk identification (2.15), risk analysis (2.21) and risk evaluation (2.24)
[ISO Guide 73:2009, definition 3.4.1]

2.15 risk identification
process of finding, recognizing and describing risks (2.1)
NOTE 1 Risk identification involves the identification of risk sources (2.16), events (2.17), their causes and their potential consequences (2.18).
NOTE 2 Risk identification can involve historical data, theoretical analysis, informed and expert opinions, and stakeholders' (2.13) needs.
[ISO Guide 73:2009, definition 3.5.1]

2.16 risk source
element which alone or in combination has the intrinsic potential to give rise to risk (2.1)
NOTE A risk source can be tangible or intangible.
[ISO Guide 73:2009, definition 3.5.1.2]

2.17 event
occurrence or change of a particular set of circumstances
NOTE 1 An event can be one or more occurrences, and can have several causes.
NOTE 2 An event can consist of something not happening.
NOTE 3 An event can sometimes be referred to as an "incident" or "accident".
NOTE 4 An event without consequences (2.18) can also be referred to as a "near miss", "incident", "near hit" or "close call".
[ISO Guide 73:2009, definition 3.5.1.3]

2.18 consequence
outcome of an event (2.17) affecting objectives
NOTE 1 An event can lead to a range of consequences.
NOTE 2 A consequence can be certain or uncertain and can have positive or negative effects on objectives.
NOTE 3 Consequences can be expressed qualitatively or quantitatively.
NOTE 4 Initial consequences can escalate through knock-on effects.
[ISO Guide 73:2009, definition 3.6.1.3]

2.19 likelihood
chance of something happening
NOTE 1 In risk management terminology, the word "likelihood" is used to refer to the chance of something happening, whether defined, measured or determined objectively or subjectively, qualitatively or quantitatively, and described using general terms or mathematically (such as a probability or a frequency over a given time period).
NOTE 2 The English term "likelihood" does not have a direct equivalent in some languages; instead, the equivalent of the term "probability" is often used.
However, in English, "probability" is often narrowly interpreted as a mathematical term. Therefore, in risk management terminology, "likelihood" is used with the intent that it should have the same broad interpretation as the term "probability" has in many languages other than English.
[ISO Guide 73:2009, definition 3.6.1.1]

2.20 risk profile
description of any set of risks (2.1)
NOTE The set of risks can contain those that relate to the whole organization, part of the organization, or as otherwise defined.
[ISO Guide 73:2009, definition 3.8.2.5]

2.21 risk analysis
process to comprehend the nature of risk (2.1) and to determine the level of risk (2.23)
NOTE 1 Risk analysis provides the basis for risk evaluation (2.24) and decisions about risk treatment (2.25).
NOTE 2 Risk analysis includes risk estimation.
[ISO Guide 73:2009, definition 3.6.1]

2.22 risk criteria
terms of reference against which the significance of a risk (2.1) is evaluated
NOTE 1 Risk criteria are based on organizational objectives, and external (2.10) and internal context (2.11).
NOTE 2 Risk criteria can be derived from standards, laws, policies and other requirements.
[ISO Guide 73:2009, definition 3.3.1.3]

2.23 level of risk
magnitude of a risk (2.1) or combination of risks, expressed in terms of the combination of consequences (2.18) and their likelihood (2.19)
[ISO Guide 73:2009, definition 3.6.1.8]

2.24 risk evaluation
process of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk (2.1) and/or its magnitude is acceptable or tolerable
NOTE Risk evaluation assists in the decision about risk treatment (2.25).
[ISO Guide 73:2009, definition 3.7.1]

2.25 risk treatment
process to modify risk (2.1)
NOTE 1 Risk treatment can involve:
— avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
— taking or increasing risk in order to pursue an opportunity;
— removing the risk source (2.16);
— changing the likelihood (2.19);
— changing the consequences (2.18);
— sharing the risk with another party or parties (including contracts and risk financing); and
— retaining the risk by informed decision.
NOTE 2 Risk treatments that deal with negative consequences are sometimes referred to as "risk mitigation", "risk elimination", "risk prevention" and "risk reduction".
NOTE 3 Risk treatment can create new risks or modify existing risks.
[ISO Guide 73:2009, definition 3.8.1]

2.26 control
measure that is modifying risk (2.1)
NOTE 1 Controls include any process, policy, device, practice, or other actions which modify risk.
NOTE 2 Controls may not always exert the intended or assumed modifying effect.
[ISO Guide 73:2009, definition 3.8.1.1]

2.27 residual risk
risk (2.1) remaining after risk treatment (2.25)
NOTE 1 Residual risk can contain unidentified risk.
NOTE 2 Residual risk can also be known as "retained risk".
[ISO Guide 73:2009, definition 3.8.1.6]

2.28 monitoring
continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected
NOTE Monitoring can be applied to a risk management framework (2.3), risk management process (2.8), risk (2.1) or control (2.26).
[ISO Guide 73:2009, definition 3.8.2.1]

2.29 review
activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives
NOTE Review can be applied to a risk management framework (2.3), risk management process (2.8), risk (2.1) or control (2.26).
[ISO Guide 73:2009, definition 3.8.2.2]

3 Principles

For risk management to be effective, an organization should at all levels comply with the principles below.

a) Risk management creates and protects value.
Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.

b) Risk management is an integral part of all organizational processes.
Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.

c) Risk management is part of decision making.
Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
d) Risk management explicitly addresses uncertainty.
Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.

e) Risk management is systematic, structured and timely.
A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

f) Risk management is based on the best available information.
The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.

g) Risk management is tailored.
Risk management is aligned with the organization's external and internal context and risk profile.

h) Risk management takes human and cultural factors into account.
Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.

i) Risk management is transparent and inclusive.
Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.

j) Risk management is dynamic, iterative and responsive to change.
Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.

k) Risk management facilitates continual improvement of the organization.
Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.

Annex A provides further advice for organizations wishing to manage risk more effectively.

4 Framework

4.1 General

The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels. The framework assists in managing risks effectively through the application of the risk management process (see Clause 5) at varying levels and within specific contexts of the organization. The framework ensures that information about risk derived from the risk management process is adequately reported and used as a basis for decision making and accountability at all relevant organizational levels.

This clause describes the necessary components of the framework for managing risk and the way in which they interrelate in an iterative manner, as shown in Figure 2.

Figure 2 — Relationship between the components of the framework for managing risk
[Figure: a cycle of framework components]
Mandate and commitment (4.2)
Design of framework for managing risk (4.3): understanding the organization and its context (4.3.1); establishing risk management policy (4.3.2); accountability (4.3.3); integration into organizational processes (4.3.4); resources (4.3.5); establishing internal communication and reporting mechanisms (4.3.6); establishing external communication and reporting mechanisms (4.3.7)
Implementing risk management (4.4): implementing the framework for managing risk (4.4.1); implementing the risk management process (4.4.2)
Monitoring and review of the framework (4.5)
Continual improvement of the framework (4.6)

This framework is not intended to prescribe a management system, but rather to assist the organization to integrate risk management into its overall management system. Therefore, organizations should adapt the components of the framework to their specific needs.

If an organization's existing management practices and processes include components of risk management or if the organization has already adopted a formal risk management process for particular types of risk or situations, then these should be critically reviewed and assessed against this International Standard, including the attributes contained in Annex A, in order to determine their adequacy and effectiveness.

4.2 Mandate and commitment

The introduction of risk management and ensuring its ongoing effectiveness require strong and sustained commitment by management of the organization, as well as strategic and rigorous planning to achieve commitment at all levels. Management should:
— define and endorse the risk management policy;
— ensure that the organization's culture and risk management policy are aligned;
— determine risk management performance indicators that align with performance indicators of the organization;
— align risk management objectives with the objectives and strategies of the organization;
— ensure legal and regulatory compliance;
— assign accountabilities and responsibilities at appropriate levels within the organization;
— ensure that the necessary resources are allocated to risk management;
— communicate the benefits of risk management to all stakeholders; and
— ensure that the framework for managing risk continues to remain appropriate.

4.3 Design of framework for managing risk

4.3.1 Understanding of the organization and its context

Before starting the design and implementation of the framework for managing risk, it is important to evaluate and understand both the external and internal context of the organization, since these can significantly influence the design of the framework.

Evaluating the organization's external context may include, but is not limited to:
a) the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
b) key drivers and trends having impact on the objectives of the organization; and
c) relationships with, and perceptions and values of, external stakeholders.

Evaluating the organization's internal context may include, but is not limited to:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— information systems, information flows and decision making processes (both formal and informal);
— relationships with, and perceptions and values of, internal stakeholders;
— the organization's culture;
— standards, guidelines and models adopted by the organization; and
— the form and extent of contractual relationships.

4.3.2 Establishing risk management policy

The risk management policy should clearly state the organization's objectives for, and commitment to, risk management and typically addresses the following:
— the organization's rationale for managing risk;
— links between the organization's objectives and policies and the risk management policy;
— accountabilities and responsibilities for managing risk;
— the way in which conflicting interests are dealt with;
— commitment to make the necessary resources available to assist those accountable and responsible for managing risk;
— the way in which risk management performance will be measured and reported; and
— commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances.

The risk management policy should be communicated appropriately.

4.3.3 Accountability

The organization should ensure that there is accountability, authority and appropriate competence for managing risk, including implementing and maintaining the risk management process and ensuring the adequacy, effectiveness and efficiency of any controls. This can be facilitated by:
— identifying risk owners that have the accountability and authority to manage risks;
— identifying who is accountable for the development, implementation and maintenance of the framework for managing risk;
— identifying other responsibilities of people at all levels in the organization for the risk management process;
— establishing performance measurement and external and/or internal reporting and escalation processes; and
— ensuring appropriate levels of recognition.

4.3.4 Integration into organizational processes

Risk management should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organizational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.

There should be an organization-wide risk management plan to ensure that the risk management policy is implemented and that risk management is embedded in all of the organization's practices and processes.
The risk management plan can be integrated into other organizational plans, such as a strategic plan.

4.3.5 Resources

The organization should allocate appropriate resources for risk management. Consideration should be given to the following:
— people, skills, experience and competence;
— resources needed for each step of the risk management process;
— the organization's processes, methods and tools to be used for managing risk;
— documented processes and procedures;
— information and knowledge management systems; and
— training programmes.

4.3.6 Establishing internal communication and reporting mechanisms

The organization should establish internal communication and reporting mechanisms in order to support and encourage accountability and ownership of risk. These mechanisms should ensure that:
— key components of the risk management framework, and any subsequent modifications, are communicated appropriately;
— there is adequate internal reporting on the framework, its effectiveness and the outcomes;
— relevant information derived from the application of risk management is available at appropriate levels and times; and
— there are processes for consultation with internal stakeholders.

These mechanisms should, where appropriate, include processes to consolidate risk information from a variety of sources, and may need to consider the sensitivity of the information.

4.3.7 Establishing external communication and reporting mechanisms

The organization should develop and implement a plan as to how it will communicate with external stakeholders. This should involve:
— engaging appropriate external stakeholders and ensuring an effective exchange of information;
— external reporting to comply with legal, regulatory, and governance requirements;
— providing feedback and reporting on communication and consultation;
— using communication to build confidence in the organization; and
— communicating with stakeholders in the event of a crisis or contingency.

These mechanisms should, where appropriate, include processes to consolidate risk information from a variety of sources, and may need to consider the sensitivity of the information.

4.4 Implementing risk management

4.4.1 Implementing the framework for managing risk

In implementing the organization's framework for managing risk, the organization should:
— define the appropriate timing and strategy for implementing the framework;
— apply the risk management policy and process to the organizational processes;
— comply with legal and regulatory requirements;
— ensure that decision making, including the development and setting of objectives, is aligned with the outcomes of risk management processes;
— hold information and training sessions; and
— communicate and consult with stakeholders to ensure that its risk management framework remains appropriate.

4.4.2 Implementing the risk management process

Risk management should be implemented by ensuring that the risk management process outlined in Clause 5 is applied through a risk management plan at all relevant levels and functions of the organization as part of its practices and processes.
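Before the process clause, the vocabulary of Clause 2 can be exercised on one concrete entry. What follows is an added example and is not part of ISO 31000 or of any ISO publication; it models a single security risk in a small register using the defined terms (risk source 2.16, event 2.17, consequence 2.18, likelihood 2.19, level of risk 2.23, risk criteria 2.22, risk evaluation 2.24, risk treatment 2.25, control 2.26, residual risk 2.27, risk owner 2.7). The five-step ordinal scales, the multiplicative combination rule, the criteria thresholds and the credential-stuffing sample risk are all constructed assumptions for illustration; the standard prescribes none of them. The point it carries over from 2.26 NOTE 2 is that a control's assumed effect and its verified effect can differ, and that the evaluation against the risk criteria changes depending on which one is credited.

```python
"""Added example (not ISO text): a minimal risk register in ISO 31000:2009 terms.
Scales, thresholds and the sample risk are constructed for illustration only."""
from dataclasses import dataclass, field

# Constructed five-step ordinal scales for likelihood (2.19) and consequence (2.18).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed risk criteria (2.22): a level at or below these values is acceptable
# or tolerable; anything above "tolerable" needs further treatment.
CRITERIA = {"acceptable": 4, "tolerable": 9}


@dataclass
class Control:
    """A control (2.26). `assumed_steps` is the likelihood reduction it is designed
    to achieve; `verified` records whether that effect has actually been confirmed
    (2.26 NOTE 2: controls may not exert the intended or assumed effect)."""
    name: str
    assumed_steps: int
    verified: bool = False


@dataclass
class Risk:
    """One risk (2.1): its source (2.16), event (2.17), inherent consequence (2.18)
    and likelihood (2.19), the risk owner (2.7) and any controls applied so far."""
    ident: str
    source: str
    event: str
    consequence: str
    likelihood: str
    owner: str
    controls: list = field(default_factory=list)


def level_of_risk(likelihood: str, consequence: str) -> int:
    """Level of risk (2.23): here the product of the two ordinal ranks (an assumption)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def evaluate(level: int, criteria: dict = CRITERIA) -> str:
    """Risk evaluation (2.24): compare the analysed level with the risk criteria."""
    if level <= criteria["acceptable"]:
        return "acceptable"
    if level <= criteria["tolerable"]:
        return "tolerable"
    return "unacceptable"


def residual_likelihood(risk: Risk, trust_unverified: bool = False) -> str:
    """Likelihood remaining after treatment (2.27). By default only verified controls
    count; trust_unverified=True reproduces the mistake of crediting assumed effects."""
    steps = sum(c.assumed_steps for c in risk.controls if c.verified or trust_unverified)
    rank = max(1, LIKELIHOOD[risk.likelihood] - steps)
    return next(name for name, value in LIKELIHOOD.items() if value == rank)


def treat(risk: Risk, control: Control) -> Risk:
    """Risk treatment (2.25) by changing the likelihood: attach a control to the risk."""
    risk.controls.append(control)
    return risk


def assess(risk: Risk, trust_unverified: bool = False) -> dict:
    """Risk assessment (2.14) of one entry: analysis (2.21) of the inherent and
    residual level, then evaluation (2.24) of the residual level against the criteria."""
    inherent = level_of_risk(risk.likelihood, risk.consequence)
    res_likelihood = residual_likelihood(risk, trust_unverified)
    residual = level_of_risk(res_likelihood, risk.consequence)
    return {
        "id": risk.ident,
        "owner": risk.owner,
        "inherent": inherent,
        "residual_likelihood": res_likelihood,
        "residual": residual,
        "evaluation": evaluate(residual),
    }


def sample_register() -> list:
    """Constructed sample entry: a credential-stuffing risk against a login service
    treated with one verified and one unverified control (names are hypothetical)."""
    r = Risk(ident="R-001",
             source="leaked third-party credential dumps",
             event="credential stuffing against the customer login endpoint",
             consequence="major", likelihood="likely", owner="head of identity")
    treat(r, Control("phishing-resistant MFA on all accounts", assumed_steps=2, verified=True))
    treat(r, Control("login rate limiting", assumed_steps=1, verified=False))
    return [r]


if __name__ == "__main__":
    for risk in sample_register():
        print(assess(risk))                         # credits verified controls only
        print(assess(risk, trust_unverified=True))  # credits assumed effects as well
```

With the constructed scales the sample risk has an inherent level of 16. Crediting only the verified control leaves a residual level of 8, which the criteria classify as tolerable; crediting the unverified rate limiter as well drops it to 4 and the same risk reads as acceptable. The register therefore records verification state per control, so that a reviewer can see which evaluation rests on an assumption that monitoring (2.28) has not yet confirmed.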
4.5 Monitoring and review of the framework

In order to ensure that risk management is effective and continues to support organizational performance, the organization should:
— measure risk management performance against indicators, which are periodically reviewed for appropriateness;
— periodically measure progress against, and deviation from, the risk management plan;
— periodically review whether the risk management framework, policy and plan are still appropriate, given the organizations' external and internal context;
— report on risk, progress with the risk management plan and how well the risk management policy is being followed; and
— review the effectiveness of the risk management framework.

4.6 Continual improvement of the framework

Based on results of monitoring and reviews, decisions should be made on how the risk management framework, policy and plan can be improved. These decisions should lead to improvements in the organization's management of risk and its risk management culture.

5 Process

5.1 General

The risk management process should be
— an integral part of management,
— embedded in the culture and practices, and
— tailored to the business processes of the organization.

It comprises the activities described in 5.2 to 5.6. The risk management process is shown in Figure 3.

Figure 3 — Risk management process
[Figure: establishing the context (5.3), then risk assessment (5.4) consisting of risk identification (5.4.2), risk analysis (5.4.3) and risk evaluation (5.4.4), then risk treatment (5.5); communication and consultation (5.2) and monitoring and review (5.6) run alongside every stage]

5.2 Communication and consultation

Communication and consultation with external and internal stakeholders should take place during all stages of the risk management process.

Therefore, plans for communication and consultation should be developed at an early stage. These should address issues relating to the risk itself, its causes, its consequences (if known), and the measures being taken to treat it. Effective external and internal communication and consultation should take place to ensure that those accountable for implementing the risk management process and stakeholders understand the basis on which decisions are made, and the reasons why particular actions are required.

A consultative team approach may:
— help establish the context appropriately;
— ensure that the interests of stakeholders are understood and considered;
— help ensure that risks are adequately identified;
— bring different areas of expertise together for analyzing risks;
— ensure that different views are appropriately considered when defining risk criteria and in evaluating risks;
— secure endorsement and support for a treatment plan;
— enhance appropriate change management during the risk management process; and
— develop an appropriate external and internal communication and consultation plan.

Communication and consultation with stakeholders is important as they make judgements about risk based on their perceptions of risk. These perceptions can vary due to differences in values, needs, assumptions, concepts and concerns of stakeholders. As their views can have a significant impact on the decisions made, the stakeholders' perceptions should be identified, recorded, and taken into account in the decision making process.

Communication and consultation should facilitate truthful, relevant, accurate and understandable exchanges of information, taking into account confidential and personal integrity aspects.

5.3 Establishing the context

5.3.1 General

By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.
While many of these parameters are similar to those considered in the design of the risk management framework (see 4.3.1), when establishing the context for the risk management process, they need to be considered in greater detail and particularly how they relate to the scope of the particular risk management process.

5.3.2 Establishing the external context

The external context is the external environment in which the organization seeks to achieve its objectives.

Understanding the external context is important in order to ensure that the objectives and concerns of external stakeholders are considered when developing risk criteria. It is based on the organization-wide context, but with specific details of legal and regulatory requirements, stakeholder perceptions and other aspects of risks specific to the scope of the risk management process.

The external context can include, but is not limited to:
— the social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment, whether international, national, regional or local;
— key drivers and trends having impact on the objectives of the organization; and
— relationships with, perceptions and values of external stakeholders.

5.3.3 Establishing the internal context

The internal context is the internal environment in which the organization seeks to achieve its objectives.

The risk management process should be aligned with the organization's culture, processes, structure and strategy. Internal context is anything within the organization that can influence the way in which an organization will manage risk. It should be established because:
a) risk management takes place in the context of the objectives of the organization;
b) objectives and criteria of a particular project, process or activity should be considered in the light of objectives of the organization as a whole; and
c) some organizations fail to recognize opportunities to achieve their strategic, project or business objectives, and this affects ongoing organizational commitment, credibility, trust and value.

It is necessary to understand the internal context. This can include, but is not limited to:
— governance, organizational structure, roles and accountabilities;
— policies, objectives, and the strategies that are in place to achieve them;
— capabilities, understood in terms of resources and knowledge (e.g. capital, time, people, processes, systems and technologies);
— information systems, information flows and decision making processes (both formal and informal);
— the relationships with and perceptions and values of internal stakeholders;
— the organization's culture;
— standards, guidelines and models adopted by the organization; and
— form and extent of contractual relationships.

5.3.4 Establishing the context of the risk management process

The objectives, strategies, scope and parameters of the activities of the organization, or those parts of the organization where the risk management process is being applied, should be established. The management of risk should be undertaken with full consideration of the need to justify the resources used in carrying out risk management. The resources required, responsibilities and authorities, and the records to be kept should also be specified.

The context of the risk management process will vary according to the needs of an organization. It can involve, but is not limited to:
— defining the goals and objectives of the risk management activities;
— defining responsibilities for and within the risk management process;
— defining the scope, as well as the depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions;
— defining the activity, process, function, project, product, service or asset in terms of time and location;